 keytab(1m)               Open Software Foundation                keytab(1m)




 NAME
      keytab - A dcecp object that manages server passwords on DCE hosts

 SYNOPSIS
      keytab add keytab_name_list -member principal_name_list
      {-key plain_key -version key_version [-registry] |
      -random -registry [-version key_version] }
      [-ktname residual_keytab_name] [-noprivacy] [-local]

      keytab catalog [host_name_list] [-simplename] [-noprivacy]
      [-local]

      keytab create keytab_name_list
      {-attribute attribute_list | -attribute value}
      [-ktname residual_keytab_name] [-entry] [-noprivacy] [-local]

      keytab delete keytab_name_list [-entry] [-noprivacy]
      [-ktname residual_keytab_name] [-local]

      keytab help [operation | -verbose]

      keytab list keytab_name_list [-noprivacy]
      [-ktname residual_keytab_name] [-local]

      keytab operations

      keytab remove keytab_name_list -member principal_name_list
      [-version key_version_list] [-type key_type] [-noprivacy]
      [-ktname residual_keytab_name] [-local]

      keytab show keytab_name_list [-entry | -members]
      [-keys] [-ktname residual_keytab_name] [-noprivacy] [-local]


 ARGUMENTS
      host_name_list
                A list of one or more DCE host names specifying hosts for
                which to catalog key tables.  Host names can be in any of
                the following forms:

                /.:/hosts/hostname

                /.../cell_name/hosts/hostname

                hosts/hostname


                The name can also be a single string binding representing
                the host with which to communicate.  See keytab_name_list
                for more information.




 Hewlett-Packard Company            - 1 OSF DCE 1.1/HP DCE 1.8 PHSS_26394-96

      keytab_name_list
                A list of one or more names of key tables to operate on.
                Key table names are similar to other dced objects with the
                following form:

                /.../cell/hosts/hostname/config/keytab/name

                The name can also be a single string binding representing
                the host with which to communicate. For example:

                {ncacn_ip_tcp 130.105.1.227}


                A string binding is useful when the name service is not
                operating and cannot translate the other forms of host
                names. If you supply a single string binding, you must use
                the -ktname option to specify the object's residual name.

      operation The name of the keytab operation for which to display help
                information.


 DESCRIPTION
      The keytab object represents key tables (usually files) that store
      server keys (and key version numbers) on hosts.  These key tables are
      manipulated remotely by using dced.  The keys are considered members
      of the key table container. The keytab names are in the form

      /.../cell_name/hosts/hostname/config/keytab/name

      A key table has a set of keys.  Each key contains a principal name,
      type, version, and value.  The value can be created and changed, but
      is never shown on output.  Removal of a key is based on the name,
      type, and version number.  The syntax of a key is a list of
      principal_name, type (plain or des), version (a non-negative integer),
      and value.  The value of a des key is 64 bits long and can be
      represented in dcecp as an Extended Registry Attribute (ERA) of type
      byte (refer to the xattrschema attributes for details). The value is
      valid on input, but is not displayed on output so that keys are not
      shown on the screen.  For example:

      melman des 1 key1

      melman plain 3 key2


      Multiple keys for the same principal are displayed as separate keys.

 ATTRIBUTES
      uuid value
                A Universal Unique Identifier (UUID) that is the internal
                identifier for the key table's configuration information
                kept by dced.  If the UUID is not specified when the key
                table is created, one is generated automatically. This
                attribute cannot be modified after it is created.

      annotation string
                A human-readable comment field in Portable Character Set
                (PCS) format.  This attribute cannot be modified after
                creation. It defaults to a null string (that is, blank).

      storage string
                The name of the key table (usually a filename).  It is
                required and may not be modified after creation.

      data key_list
                The contents of the key table.  Represented as a list of
                keys.


      See the OSF DCE Administration Guide for more information about keytab
      attributes.

 OPERATIONS
    keytab add
      Adds members to a key table.  The syntax is as follows:

      keytab add keytab_name_list -member principal_name_list
      {-key plain_key -version key_version [-registry] |
      -random -registry [-version key_version] }
      [-ktname residual_keytab_name] [-noprivacy] [-local]


      Options


      -member principal_name_list
                List of principal names to be added to each key table in the
                argument.

      -registry Updates the principal's key in the registry as well as on
                the host. Required if the -random option is used.

      -random   Generates a random des key.  Cannot be used with the -key
                option.

      -key plain_key
                Specifies a key explicitly.  Cannot be used with the -random
                option.

      -version key_version
                Specifies a version number for the key. Required if the
                -registry option is not used.

      -ktname residual_keytab_name
                Specifies the keytab object to add members to.  If you use
                this option, you must specify keytab_name_list as a string
                binding.  See ARGUMENTS for more information about
                specifying a string binding for keytab_name_list.

      -local    Specifies that the add operation operates on local files
                only.

      -noprivacy
                Specifies that key tables are sent over the network
                unencrypted.


      The add operation adds members to key tables.  The argument is a list
      of names of key tables to which members should be added. The required
      -member option lists principal names to be added to each key table in
      the keytab_name_list argument. If the principals named do not exist,
      the command will return an error.  The operation adds each principal
      name and its key to the key table.

      Use either the -random option to have dcecp generate a random des key
      or the -key option to specify a plain key explicitly.  The same key
      (whether specified or randomly generated) is used for all principals
      being added to all key tables.  The -registry option updates the
      principal's key in the key table and in the registry.  The -registry
      option is required if -random is used.  The -version option specifies
      the version number of the key.  You must specify either -registry or
      -version or both on any keytab add command.  The -ktname option is
      used to identify the specific key table to operate on, but only when
      the argument is a string binding representing a host, not the fully
      qualified key table name. This operation returns an empty string on
      success.

      Privileges Required

      You must have a (auth_info) permission to the keytab object.

      Examples

      dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
      > -member melman -random -registry
      dcecp>

      dcecp> keytab add /.:/hosts/medusa/config/keytab/radiology \
      > -member melman -key yrrebnesor
      dcecp>

      dcecp> keytab add ncacn_ip_tcp:15.22.24.145 -ktname radiology \
      > -member melman -random -registry
      dcecp>
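
      The option rules stated for keytab add can be checked before a
      command is run.  The following is an added example, not part of
      the original reference page or of DCE: the function name
      lint_keytab_add, the message texts, and the treatment of names
      beginning with ncacn_ or ncadg_ as string bindings are assumptions.

```python
import re

# Options of `keytab add`, taken from the SYNOPSIS on this page.
VALUE_OPTS = {"-member", "-key", "-version", "-ktname"}
FLAG_OPTS = {"-registry", "-random", "-noprivacy", "-local"}
TOKEN = re.compile(r"\{[^{}]*\}|\S+")        # braced list (one level) or bare word
BINDING = re.compile(r"^\{?\s*nca(cn|dg)_")  # assumed test for a string binding


def lint_keytab_add(command):
    """Return (errors, warnings) for one single-line `keytab add` command."""
    tokens = TOKEN.findall(command)
    if tokens[:2] != ["keytab", "add"]:
        return ["not a keytab add command"], []
    names, opts, errors, warnings = [], {}, [], []
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_OPTS:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is None or nxt in (VALUE_OPTS | FLAG_OPTS):
                errors.append(f"{tok} needs a value")
                i += 1
            else:
                opts[tok] = nxt
                i += 2
        elif tok in FLAG_OPTS:
            opts[tok] = True
            i += 1
        elif tok.startswith("-"):
            errors.append(f"unknown option {tok}")
            i += 1
        else:
            names.append(tok)
            i += 1

    has_key, has_random = "-key" in opts, "-random" in opts
    bindings = [n for n in names if BINDING.match(n)]
    if not names:
        errors.append("missing keytab_name_list")
    if "-member" not in opts:
        errors.append("-member is required")
    if has_key and has_random:
        errors.append("-key and -random cannot be combined")
    if not has_key and not has_random:
        errors.append("one of -key or -random is required")
    if has_random and "-registry" not in opts:
        errors.append("-random requires -registry")
    if "-registry" not in opts and "-version" not in opts:
        errors.append("specify -registry, -version, or both")
    if bindings and "-ktname" not in opts:
        errors.append("string binding requires -ktname")
    if "-ktname" in opts and (len(names) != 1 or not bindings):
        errors.append("-ktname requires a single string binding")

    # Advisory findings: accepted by the syntax, but worth a second look.
    if "-noprivacy" in opts:
        warnings.append("-noprivacy: key tables cross the network unencrypted")
    if has_key:
        warnings.append("-key: the plain key is typed in clear in the command")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: string binding without -ktname, -random without
    # -registry, and -noprivacy.
    sample = "keytab add {ncacn_ip_tcp 130.105.1.227} -member melman -random -noprivacy"
    errs, warns = lint_keytab_add(sample)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

      Run over the three examples printed above, this check accepts the
      first and third and reports the second (-key with neither -registry
      nor -version) against the rule that every keytab add command must
      carry -registry, -version, or both.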


    keytab catalog
      Returns a list of the names of all key tables on the specified host.
      The syntax is as follows:

      keytab catalog [host_name_list] [-simplename] [-noprivacy]
      [-local]


      Options


      -simplename
                Returns key table names without prepending the cell name.

      -noprivacy
                Specifies that the key tables sent over the network are not
                encrypted.

      -local    Specifies that the catalog operation operates on local files
                only.


      The catalog operation returns a list of the names of all key tables on
      the host specified in the argument.  The argument can be a list of one
      or more host names or a single string binding that identifies a host.
      If a host name is not specified, the current host is used.  If the
      argument is a list, the output is concatenated.  The return order is
      arbitrary.

      Privileges Required

      You must have r (read) permission to the keytab object on the host.

      Examples

      dcecp> keytab catalog
      /.../pokey/hosts/jimbo/config/keytab/self
      dcecp>


    keytab create
      Creates a key table.  The syntax is as follows:

      keytab create keytab_name_list
      {-attribute attribute_list | -attribute value}
      [-ktname residual_keytab_name] [-entry] [-noprivacy] [-local]




      Options


      -attribute value
                As an alternative to using the -attribute option with an
                attribute list, you can specify individual attribute options
                by prepending a hyphen (-) to any attributes listed in the
                ATTRIBUTES section of this reference page.

      -attribute attribute_list
                Allows you to specify attributes by using an attribute list
                rather than individual attribute options. The format of an
                attribute list is as follows:

                {{attribute value}...{attribute value}}


      -ktname residual_keytab_name
                Specifies the keytab object to create.  If you use this
                option, you must specify keytab_name_list as a string
                binding.  See ARGUMENTS for more information about
                specifying a string binding for keytab_name_list.

      -local    Specifies that the create operation operates on local files
                only.

      -noprivacy
                Specifies that key tables are sent over the network
                unencrypted.


      The create operation creates a key table.  The argument is a list of
      names of key tables to be created.  The command takes an -attribute
      option to specify configuration information for dced. The -ktname
      option is used to identify the specific key table to operate on, but
      only when the argument is a string binding representing a host, not
      the fully qualified key table name. The contents of the key table can
      be specified via the data attribute.  The value of the option is
      applied to all elements of the argument list.  This operation returns
      an empty string on success.

      The value of the data attribute, if specified, is a list of keys.
      Each key must have a principal name and key type.  The version is
      optional; if it is not present, the system generates a version of 1.
      If the key type is plain, a key value must be specified.  If the key
      type is des and a key value is not specified, one will be randomly
      generated.

      Privileges Required

      You must have i (insert) permission to the keytab object on the host.

      Examples

      The following example creates two keys for user melman and one key for
      danahy on host medusa.  One of melman's keys is an automatically
      generated Data Encryption Standard (DES) key. Both melman's second key
      and danahy's key are manually entered keys.

      dcecp> keytab create /.:/hosts/medusa/config/keytab/radiology -attribute { \
      > {{storage /opt/dcelocal/keys/radiology} {data {{melman des} \
      > {melman plain 3 key2} {danahy des 2 key3}}}}
      dcecp>

      dcecp> keytab create ncacn_ip_tcp:15.22.24.145 -ktname radiology \
      > -storage /tmp/keys/radiology -data {melman plain 3 key2}
      dcecp>


    keytab delete
      Deletes a key table entry and its data.  The syntax is as follows:

      keytab delete keytab_name_list [-entry] [-noprivacy]
      [-ktname residual_keytab_name] [-local]


      Options


      -entry    Specifies that only the configuration information that dced
                keeps is deleted, not the actual key table.

      -ktname residual_keytab_name
                Specifies the keytab object to delete.  If you use this
                option, you must specify keytab_name_list as a string
                binding.  See ARGUMENTS for more information about
                specifying a string binding for keytab_name_list.

      -noprivacy
                Specifies that key tables are sent over the network
                unencrypted.

      -local    Specifies that the delete operation operates on local files
                only.


      The delete operation deletes a key table entry and its data.  The
      argument is a list of names of key table entries to be deleted in the
      order specified.  If the -entry option is present, only the
      configuration information that dced keeps is deleted, not the actual
      key table. The -ktname option is used to identify the specific key
      table to operate on, but only when the argument is a string binding
      representing a host, not the fully qualified key table name. This
      operation returns an empty string on success.

      Privileges Required

      You must have d (delete) permission to the keytab object. If you are
      removing the key table, you must have D (Delete_object) permission to
      the keytab object as well.

      Examples

      dcecp> keytab delete /.:/hosts/medusa/config/keytab/radiology
      dcecp>

      dcecp> keytab delete ncacn_ip_tcp:15.22.24.145 -ktname radiology
      dcecp>


    keytab help
      Returns help information about the keytab object and its operations.
      The syntax is as follows:

      keytab help [operation | -verbose]


      Options


      -verbose  Displays information about the keytab object.


      Used without an argument or option, the keytab help command returns
      brief information about each keytab operation. The optional operation
      argument is the name of an operation about which you want detailed
      information. Alternatively, you can use the -verbose option for more
      detailed information about the keytab object itself.

      Privileges Required

      No special privileges are needed to use the keytab help command.

      Examples

      dcecp> keytab help
      add                 Adds keys into a key table.
      catalog             Returns the list of key table names.
      create              Creates a new key table entry and its keys.
      delete              Deletes a key table and its associated data.
      list                Lists all principals in a specified key table.
      remove              Removes keys from a key table.
      show                Returns the list of keys of a key table.
      help                Prints a summary of command-line options.
      operations          Returns a list of the valid operations for this command.
      dcecp>


    keytab list
      Returns a list of all the principals in the specified key table.  The
      syntax is as follows:

      keytab list keytab_name_list [-noprivacy]
      [-ktname residual_keytab_name] [-local]


      Options

      -ktname residual_keytab_name
                Specifies the keytab object to list.  If you use this
                option, you must specify keytab_name_list as a string
                binding.  See ARGUMENTS for more information about
                specifying a string binding for keytab_name_list.

      -noprivacy
                Specifies that key tables are sent over the network
                unencrypted.

      -local    Specifies that the list operation operates on local files
                only.


      The list operation returns a list of all the principals in the
      specified key table.  If the argument is a list of key table names,
      the output is concatenated and a blank line inserted between key
      tables. The -ktname option is used to identify the specific key table
      to operate on, but only when the argument is a string binding
      representing a host, not the fully qualified key table name.

      Privileges Required

      You must have r (read) permission to the keytab object on the host.

      Examples

      dcecp> keytab list /.:/hosts/medusa/config/keytab/self
      /.../mycell/hosts/medusa/self
      /.../mycell/hosts/medusa/cds-server
      /.../mycell/hosts/medusa/cds-server
      dcecp>

      dcecp> keytab list ncacn_ip_tcp:15.22.24.145 -ktname self
      /.../mycell/hosts/medusa/self
      /.../mycell/hosts/medusa/cds-server
      /.../mycell/hosts/medusa/cds-server
      dcecp>


    keytab operations
      Returns a list of the operations supported by the keytab object. The
      syntax is as follows:

      keytab operations


      The list of available operations is in alphabetical order except for
      help and operations, which are listed last.

      Privileges Required

      No special privileges are needed to use the keytab operations command.

      Examples

      dcecp> keytab operations
      add catalog create delete list remove show help operations
      dcecp>


    keytab remove
      Removes a member from a key table.  The syntax is as follows:

      keytab remove keytab_name_list -member principal_name_list
      [-version key_version_list] [-type key_type] [-noprivacy]
      [-ktname residual_keytab_name] [-local]


      Options


      -member principal_name_list
                Specifies a list of one or more principal names of members
                to be removed from the key table.

      -version key_version_list
                Specifies a version number for the key.

      -type key_type
                Specifies whether the key is a des (data encryption
                standard) key or a plain key.

      -ktname residual_keytab_name
                Specifies the keytab object to use during the remove
                operation.  If you use this option, you must specify
                keytab_name_list as a string binding.  See ARGUMENTS for
                more information about specifying a string binding for
                keytab_name_list.

      -noprivacy
                Specifies that key tables are sent over the network
                unencrypted.

      -local    Specifies that the remove operation operates on local files
                only.


      The remove operation removes members from a key table.  The argument
      is a list of names of key tables from which to remove members. The
      value of the required -member option is a list of names of principals
      to be removed from the key tables listed in the argument.  The
      -version and -type options can be used to limit the keys removed.  If
      either or both of these options is present, then only keys matching
      the values of these options are removed.  The value of the -version
      option can be a list of version numbers.  The -ktname option is used
      to identify the specific key table to operate on, but only when the
      argument is a string binding representing a host, not the fully
      qualified key table name. This operation returns an empty string on
      success.

      Privileges Required

      You must have x (execute) permission to the keytab object on the host.

      Examples

      The following examples remove all des keys for principal D_Britt:

      dcecp> keytab remove /.:/hosts/jimbo/config/keytab/self -member D_Britt -type des
      dcecp>

      dcecp> keytab remove ncacn_ip_tcp:15.22.24.145 -ktname self -member D_Britt -type des
      dcecp>


    keytab show
      Returns an attribute list of the key table entries specified in the
      argument.  The syntax is as follows:

      keytab show keytab_name_list [-entry | -members]
      [-keys] [-ktname residual_keytab_name] [-noprivacy] [-local]

      Options

      -entry    Returns only the configuration information that dced keeps,
                not the actual key table data.

      -members  Specifies that only the data attribute of each entry be
                returned.

      -keys     Returns the actual values of keys.

      -noprivacy
                Specifies that key tables are sent over the network
                unencrypted.

      -ktname residual_keytab_name
                Specifies the keytab object for which to show information.
                If you use this option, you must specify keytab_name_list as
                a string binding.  See ARGUMENTS for more information about
                specifying a string binding for keytab_name_list.

      -local    Specifies that the show operation operates on local files
                only.


      The show operation returns an attribute list of the key tables
      specified in the argument.  The argument is a list of names of key
      tables. If the operation is called without the -entry option, the data
      attribute is not returned. If the optional -members option is given,
      only the value of the data attribute is returned (a list of keys).
      Keys are not normally returned unless the -keys option is used.  If
      the argument is a list, the output is concatenated and a blank line
      inserted between key tables. The -ktname option is used to identify
      the specific key table to operate on, but only when the argument is
      a string binding representing a host, not the fully qualified key
      table name.

      Privileges Required

      You must have r (read) permission to the keytab object on the host.

      Examples

      dcecp> keytab show /.:/hosts/medusa/config/keytab/radiology -members
      {melman des 1}
      {melman plain 3}
      {danahy des 2}
      dcecp>

      dcecp> keytab show ncacn_ip_tcp:15.22.24.145 -ktname radiology -members
      {melman des 1}
      {melman plain 3}
      {danahy des 2}
      dcecp>
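
      The -members output shown above can be reviewed mechanically.  The
      following is an added example, not part of the original reference
      page or of DCE: it parses captured keytab show -members output,
      reports plain keys, and builds keytab remove commands for key
      versions older than the newest one held for each principal and
      type.  The function names and the keep-only-the-newest-version
      policy are assumptions; the sample output is constructed.

```python
import re
from collections import defaultdict

# One key per line as printed by `keytab show ... -members`:
# {principal_name type version}, with type plain or des.
KEY_LINE = re.compile(r"^\{(\S+)\s+(des|plain)\s+(\d+)\}$")


def parse_members(output):
    """Parse captured -members output into (principal, type, version) tuples."""
    keys = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("dcecp>"):
            continue  # skip blank separators and echoed prompts
        match = KEY_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised key entry: {line!r}")
        keys.append((match.group(1), match.group(2), int(match.group(3))))
    return keys


def audit(keytab_name, keys):
    """Return (findings, removals) for one key table.

    findings: principals holding a plain key, whose value was specified
              explicitly rather than generated.
    removals: `keytab remove` commands for every version below the newest
              one per principal and type (assumed retention policy).
    """
    versions = defaultdict(set)
    for principal, ktype, version in keys:
        versions[(principal, ktype)].add(version)

    findings, removals = [], []
    for (principal, ktype), held in sorted(versions.items()):
        if ktype == "plain":
            findings.append(f"{principal}: plain key, versions {sorted(held)}")
        stale = sorted(held - {max(held)})
        if stale:
            # -version accepts a list of version numbers; brace it when
            # more than one version is named.
            vlist = " ".join(str(v) for v in stale)
            if len(stale) > 1:
                vlist = "{" + vlist + "}"
            removals.append(
                f"keytab remove {keytab_name} -member {principal} "
                f"-version {vlist} -type {ktype}"
            )
    return findings, removals


# Constructed sample output; not taken from a real host.
SAMPLE = """\
{melman des 1}
{melman des 2}
{melman des 4}
{melman plain 3}
{danahy des 2}
"""

if __name__ == "__main__":
    name = "/.:/hosts/medusa/config/keytab/radiology"
    found, cleanup = audit(name, parse_members(SAMPLE))
    for line in found:
        print("REVIEW:", line)
    for line in cleanup:
        print("RUN:   ", line)
```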



 RELATED INFORMATION
      Commands: dcecp(1m), dcecp_xattrschema(1m), dced(1m).

